Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread JITHIN K
Thanks for the advice.

On Wed, 1 Nov, 2023, 10:52 pm Mark Phippard wrote:

> It sounds like it is settled and you are all set.
>
> That said, let's pretend these vulnerabilities were real and not patched.
>
> 1. IMO, you can generally trust Debian/Ubuntu/Red Hat to make good
> decisions on backporting security fixes. If they didn't for some
> reason they probably had a reason why.
> 2. Worst case, you can file an issue with the distro to request the
> backport be made and then see what they say.
>
> I just think you are better off using the packages from your distro
> than hunting around and installing your own binaries. That actually
> increases your likelihood of adding security vulnerabilities to your
> machine in the long term.
>
> Mark
>
> On Wed, Nov 1, 2023 at 12:20 PM JITHIN K wrote:
> >
> >
> >
> > On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users <users@subversion.apache.org> wrote:
> >>
> >> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
> >>
> >> > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
> >> > I check the change log
> >> > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
> >> > I could see that the security update for CVE-2020-17525 is included in
> >> > 1.13.0-3ubuntu0.2 but patches for the other three were not included
> >> > (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean the
> >> > next Ubuntu 20.04.x release will include patches for these
> >> > vulnerabilities?
> >>
> >> Funny, I'm not seeing the latter three related to Subversion:
> >>
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
> >>
> >> > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
> >> >
> >> >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
> >> >> module. This vulnerability can be exploited by an attacker to cause
> >> >> Apache Subversion to crash.
> >> >> CVE-2021-21298: Insecure deserialization vulnerability in
> >> >> libsvn_xml library. This vulnerability can be exploited by an
> >> >> attacker to execute arbitrary code on the Subversion server.
> >> >> CVE-2021-21297: Heap-based buffer overflow vulnerability in
> >> >> libsvn_fs_x library. This vulnerability can be exploited by an
> >> >> attacker to execute arbitrary code on the Subversion server.
> >> >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
> >> >> library. This vulnerability can be exploited by an attacker to cause
> >> >> Apache Subversion to crash.
> >> --
> >>
> >
> > Hi Stanimir,
> >
> > Apologies. You are right, the other three vulnerabilities are not related
> > to Subversion.
> >
> > Thank you.
> >
> >
>


Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread Mark Phippard
It sounds like it is settled and you are all set.

That said, let's pretend these vulnerabilities were real and not patched.

1. IMO, you can generally trust Debian/Ubuntu/Red Hat to make good
decisions on backporting security fixes. If they didn't for some
reason they probably had a reason why.
2. Worst case, you can file an issue with the distro to request the
backport be made and then see what they say.

I just think you are better off using the packages from your distro
than hunting around and installing your own binaries. That actually
increases your likelihood of adding security vulnerabilities to your
machine in the long term.

Mark

On Wed, Nov 1, 2023 at 12:20 PM JITHIN K wrote:
>
>
>
> On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users <users@subversion.apache.org> wrote:
>>
>> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
>>
>> > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
>> > I check the change log
>> > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
>> > I could see that the security update for CVE-2020-17525 is included in
>> > 1.13.0-3ubuntu0.2 but patches for the other three were not included
>> > (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean the
>> > next Ubuntu 20.04.x release will include patches for these vulnerabilities?
>>
>> Funny, I'm not seeing the latter three related to Subversion:
>>
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
>>
>> > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
>> >
>> >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
>> >> module. This vulnerability can be exploited by an attacker to cause
>> >> Apache Subversion to crash.
>> >> CVE-2021-21298: Insecure deserialization vulnerability in
>> >> libsvn_xml library. This vulnerability can be exploited by an
>> >> attacker to execute arbitrary code on the Subversion server.
>> >> CVE-2021-21297: Heap-based buffer overflow vulnerability in
>> >> libsvn_fs_x library. This vulnerability can be exploited by an
>> >> attacker to execute arbitrary code on the Subversion server.
>> >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
>> >> library. This vulnerability can be exploited by an attacker to cause
>> >> Apache Subversion to crash.
>> --
>>
>
> Hi Stanimir,
>
> Apologies. You are right, the other three vulnerabilities are not related to
> Subversion.
>
> Thank you.
>
>


Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread Daniel Sahlberg
Den ons 1 nov. 2023 kl 16:07 skrev JITHIN K :
[...]

> Does that mean in the next Ubuntu 20.04.x release they include patches for
> these vulnerabilities?
>

I know there has been other e-mails clarifying that those CVEs were not for
Subversion, but just to comment that it is probably better to direct this
question to the security team of your distribution. The Subversion project
has no control over if/how/when downstream packagers apply patches. In the
case of Ubuntu: https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact

Kind regards,
Daniel Sahlberg


Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread JITHIN K
On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users <users@subversion.apache.org> wrote:

> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
>
> > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
> > I check the change log
> > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
> > I could see that the security update for CVE-2020-17525 is included in
> > 1.13.0-3ubuntu0.2 but patches for the other three were not included
> > (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean the
> > next Ubuntu 20.04.x release will include patches for these
> > vulnerabilities?
>
> Funny, I'm not seeing the latter three related to Subversion:
>
> * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
> * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
> * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
>
> > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
> >
> >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
> >> module. This vulnerability can be exploited by an attacker to cause
> >> Apache Subversion to crash.
> >> CVE-2021-21298: Insecure deserialization vulnerability in
> >> libsvn_xml library. This vulnerability can be exploited by an
> >> attacker to execute arbitrary code on the Subversion server.
> >> CVE-2021-21297: Heap-based buffer overflow vulnerability in
> >> libsvn_fs_x library. This vulnerability can be exploited by an
> >> attacker to execute arbitrary code on the Subversion server.
> >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
> >> library. This vulnerability can be exploited by an attacker to cause
> >> Apache Subversion to crash.
> --
>
>
Hi Stanimir,

Apologies. You are right, the other three vulnerabilities are not related to
Subversion.

Thank you.


Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread Stanimir Stamenkov via users

Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:

The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
I check the change log
https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
I could see that the security update for CVE-2020-17525 is included in
1.13.0-3ubuntu0.2 but patches for the other three were not included
(CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean the
next Ubuntu 20.04.x release will include patches for these vulnerabilities?


Funny, I'm not seeing the latter three related to Subversion:

* https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
* https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
* https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)


On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:

CVE-2020-17525: Denial of service vulnerability in mod_authz_svn 
module. This vulnerability can be exploited by an attacker to cause 
Apache Subversion to crash.
CVE-2021-21298: Insecure deserialization vulnerability in 
libsvn_xml library. This vulnerability can be exploited by an 
attacker to execute arbitrary code on the Subversion server.
CVE-2021-21297: Heap-based buffer overflow vulnerability in 
libsvn_fs_x library. This vulnerability can be exploited by an 
attacker to execute arbitrary code on the Subversion server.
CVE-2021-21296: Integer overflow vulnerability in libsvn_diff 
library. This vulnerability can be exploited by an attacker to cause 
Apache Subversion to crash.

--



Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread Yasuhito FUTATSUKI

Hi,

On 2023/11/02 0:06, JITHIN K wrote:

Hello Mark,

Thank you and appreciate your email.
The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when I
check the change log
https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
I could see that the security update for CVE-2020-17525 is included in
1.13.0-3ubuntu0.2
but patches for the other three were not included (CVE-2021-21298,
CVE-2021-21297, CVE-2021-21296). Does that mean the next Ubuntu 20.04.x
release will include patches for these vulnerabilities?


It seems that CVE-2021-21298 and CVE-2021-21297 are vulnerabilities in
Node-RED, and CVE-2021-21296 is in Fleet. I couldn't find any source
saying those affect Subversion, except your mail.

As far as I can see from https://subversion.apache.org/security/, the published
vulnerabilities that could affect Subversion 1.13.0 are CVE-2020-17525,
CVE-2021-28544, and CVE-2022-24070. However, those have all been fixed
in 1.13.0-3ubuntu0.2.

Cheers,
--
Yasuhito FUTATSUKI /
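The cross-check Yasuhito did by hand has two steps: is the CVE an upstream Subversion advisory at all, and if so does the distro changelog show the fix was backported? Both can be scripted. What follows is an added example, not code from the Subversion project or from Ubuntu. The advisory set is hand-copied from the message above (in real use refresh it from https://subversion.apache.org/security/), and the changelog text is a constructed excerpt in Debian changelog format, the same format `apt-get changelog subversion` prints; it is not the real Ubuntu changelog, and only the version strings and CVE IDs in it come from this thread.

```python
"""Triage a list of CVE IDs against (1) the upstream Subversion advisory
list and (2) a distro changelog. Added example; not code from the
Subversion project or from Ubuntu."""
import re
from collections import defaultdict

# Assumption: the published Subversion CVEs that can affect 1.13.0, copied
# from Yasuhito's message. Refresh from https://subversion.apache.org/security/
# instead of hard-coding it in real use.
ADVISORIES = {"CVE-2020-17525", "CVE-2021-28544", "CVE-2022-24070"}

# Constructed changelog excerpt in Debian changelog format (what
# `apt-get changelog subversion` prints). It is NOT the real Ubuntu
# changelog; only the version strings and CVE IDs come from the thread.
SAMPLE_CHANGELOG = """\
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: backport upstream fixes
    - CVE-2020-17525
    - CVE-2021-28544
    - CVE-2022-24070

 -- Example Maintainer <maint@example.invalid>  Mon, 02 May 2022 12:00:00 +0000

subversion (1.13.0-3) focal; urgency=medium

  * Rebuild; no security content.

 -- Example Maintainer <maint@example.invalid>  Fri, 10 Jan 2020 12:00:00 +0000
"""

# First line of each changelog entry: "pkg (version) dist; urgency=..."
ENTRY_HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=\S+")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def fixed_in(changelog):
    """Map each CVE ID mentioned in the changelog to the package versions
    whose entry mentions it, newest entry first (changelog order)."""
    fixes = defaultdict(list)
    version = None
    for line in changelog.splitlines():
        header = ENTRY_HEADER.match(line)
        if header:
            version = header.group("version")
            continue
        if version is None:          # text before the first entry header
            continue
        for cve in CVE_ID.findall(line):
            if version not in fixes[cve]:
                fixes[cve].append(version)
    return dict(fixes)


def triage(cves, changelog, advisories=ADVISORIES):
    """Classify each CVE as:
    - not-subversion: not an upstream advisory at all; look it up on NVD
      to see which product it really belongs to
    - fixed: an upstream advisory the changelog names, with the oldest
      package version whose entry mentions it
    - unpatched: an upstream advisory the distro changelog never mentions;
      ask the distro security team"""
    fixes = fixed_in(changelog)
    report = {}
    for raw in cves:
        cve = raw.strip().upper()
        if cve not in advisories:
            report[cve] = ("not-subversion", None)
        elif cve in fixes:
            report[cve] = ("fixed", fixes[cve][-1])
        else:
            report[cve] = ("unpatched", None)
    return report


if __name__ == "__main__":
    # The four IDs from the original question in this thread.
    claimed = ["CVE-2020-17525", "CVE-2021-21298", "CVE-2021-21297", "CVE-2021-21296"]
    for cve, (status, version) in triage(claimed, SAMPLE_CHANGELOG).items():
        print(f"{cve}: {status}" + (f" in {version}" if version else ""))
```

Run against the real changelog by piping `apt-get changelog subversion` into a file and passing its contents instead of SAMPLE_CHANGELOG. A "fixed in X" result only helps if the version actually installed (`dpkg -l subversion`) is X or later, and "unpatched" is the only outcome worth raising with the distro security team; "not-subversion" means the ID was misattributed in the first place, which is exactly what happened with the three Node-RED/Fleet CVEs above.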


Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)

2023-11-01 Thread JITHIN K
Hello Mark,

Thank you and appreciate your email.
The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when I
check the change log
https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
I could see that the security update for CVE-2020-17525 is included in
1.13.0-3ubuntu0.2
but patches for the other three were not included (CVE-2021-21298,
CVE-2021-21297, CVE-2021-21296). Does that mean the next Ubuntu 20.04.x
release will include patches for these vulnerabilities?

Thanks. Regards Jithin



On Mon, Oct 30, 2023 at 7:23 PM Mark Phippard wrote:

> Generally speaking, you do not need to worry about this when using a
> supported distro like Ubuntu. While they do not update to new versions
> of a package like Subversion, they do their own backporting of
> security and other important fixes to the version in their distro. So
> the 1.13 that is in Ubuntu is not exactly equivalent to Subversion
> 1.13. It is really 1.13 + all fixes that Ubuntu thinks they should
> backport.  You can see the changelog here and these fixes have all
> been backported:
>
>
> http://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
>
> This is true across ALL the packages that the distro provides.
>
> It is not that I do not think upgrading to 1.14 has some value, it is
> that in general I do not recommend fighting against your distro. Use
> the packages they provide and support. The distro is your real source
> of support, not all the OSS projects that are packaged into it.
>
> Mark
>
>
>
> On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
> >
> >
> > On Thu, Oct 26, 2023 at 7:36 PM Mark Phippard wrote:
> >>
> >> On Thu, Oct 26, 2023 at 9:59 AM Nathan Hartman <hartman.nat...@gmail.com> wrote:
> >> >>
> >> >>  Forwarded Message 
> >> >
> >> > (snip headers)
> >> >>
> >> >>
> >> >> Hello Users Community,
> >> >>
> >> >> Hope you are doing great.
> >> >> I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using
> >> >> apt-get (from the Ubuntu package) and also installed libapache2-mod-svn.
> >> >> I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking
> >> >> into whether, if I use apt-get upgrade, Subversion will automatically
> >> >> upgrade to 1.14 and also upgrade the library.
> >> >
> >> >
> >> >
> >> > Not by default (however see below): Generally, once an Ubuntu release
> >> > line like 20.04.x is made, software in the Ubuntu package repositories will
> >> > get only bug fixes and security fixes, not new features. This means that
> >> > the Subversion packages will remain at 1.13.x for Ubuntu 20.04.x when using
> >> > the default package repositories.
> >> >
> >> > However, it is likely that Ubuntu's backports repositories have the
> >> > newer Subversion 1.14.x releases. The backports repositories are the
> >> > preferred way to install newer releases of software packages on older
> >> > releases of Ubuntu.
> >>
> >> I would add that I do not believe there are compelling reasons to
> >> upgrade from 1.13 to 1.14 if your distro hasn't. I would recommend
> >> sticking with what your distro is providing unless there is some
> >> highly compelling reason to install your own package. This is
> >> especially true on a server.
> >>
> >> If you really have a need for 1.14, I would upgrade your entire distro
> >> to a version that provides it.
> >>
> >> Mark
> >
> >
> > Hello Mark,
> >
> > As per my understanding, Subversion 1.13 is no longer supported and no
> > security patches have been released for the following items in Subversion
> > 1.13.
> >
> > CVE-2020-17525: Denial of service vulnerability in mod_authz_svn module.
> > This vulnerability can be exploited by an attacker to cause Apache
> > Subversion to crash.
> > CVE-2021-21298: Insecure deserialization vulnerability in libsvn_xml
> > library. This vulnerability can be exploited by an attacker to execute
> > arbitrary code on the Subversion server.
> > CVE-2021-21297: Heap-based buffer overflow vulnerability in libsvn_fs_x
> > library. This vulnerability can be exploited by an attacker to execute
> > arbitrary code on the Subversion server.
> > CVE-2021-21296: Integer overflow vulnerability in libsvn_diff library.
> > This vulnerability can be exploited by an attacker to cause Apache
> > Subversion to crash.
> >
> > This is the reason why I am looking for an upgrade to Subversion 1.14.5
> >
> >
> > Thank you.
> >
> >
>